
4/8/2020
07:00 PM

Keeping Vigilant for BEC Amid COVID-19 Chaos

FBI and security experts warn that attackers are particularly targeting cloud-based email systems at the moment.

This week the US Federal Bureau of Investigation (FBI) urged businesses and remote workers to be extra wary of business email compromise (BEC) scams delivered through cloud-based email, warning that attackers have redoubled their efforts to carry out BEC attacks in the wake of COVID-19.

In a public service announcement released Monday by the FBI's Internet Crime Complaint Center (IC3), the feds warned that cybercriminals are specifically targeting organizations that use cloud-based email systems, cashing in on the fact that many victims have not turned on the security features that these platforms leave for customers to configure and enable manually.

The FBI's IC3 calculates that between January 2014 and October 2019 it recorded $2.1 billion in actual losses from BEC scams targeting just two popular cloud-based email services.

Meanwhile, the FBI National Press Office on Monday also sent out a release warning that the agency anticipates a general rise in BEC schemes seeking to profit from the chaos, urgency, and user distraction wrought by the global pandemic. For example, officials noted that "there has been an increase in BEC frauds targeting municipalities purchasing personal protective equipment or other supplies needed in the fight against COVID-19."

BEC scams vary with the creativity of the attacker, but the general gist is that they target well-placed individuals who control financial accounts at their organization. Using tactics like email account takeover or spoofing, the attackers impersonate a colleague or boss (sometimes the CEO, sometimes a vendor, sometimes a senior person in another department) and try to convince their mark via email to make a very expensive mistake. In some instances they try to trick the target into transferring money to the fraudster for an ostensibly legitimate purpose, or into making last-minute changes to the details of an existing financial transaction that benefit the criminal.

These kinds of technology-enhanced cons have cost organizations millions of dollars at a time. 

"It is important for leaders to recognize that BEC email fraud and email account compromise have grown to become probably the most expensive problem in all of cybersecurity," says Sherrod DeGrippo, senior director of threat research and detection for Proofpoint.

In fact, the FBI's IC3 recently noted in its 2019 Internet Crime Report that BEC scams accounted for 40% of cybercrime losses last year. That number is likely to spike even further as criminals see BEC during the pandemic as low-hanging fruit. The rapid dispersal of employees into makeshift work-from-home setups, the use of unfamiliar devices, and the distractions and anxiety created by illness and business disruption have all combined to create an ideal BEC hunting ground for the bad guys.

"Employees working from home are likely to be even more distracted than usual, with children, household chores, and coronavirus anxieties all competing for their attention," explains Seth Blank, vice president of standards and new technologies at Valimail. "That will make them even less attentive to the subtle clues that an email is a phishing attack. And, when working from home, they're also more likely to be using a small screen or even their cellphones to manage email, which can make some of these phish attempts — which used bogus sender identities — nearly impossible to detect."

Phishy Cloud-Based Email 

They're also more likely to be communicating via cloud-based email services, sometimes for the first time in an official business setting. According to the FBI, criminals have been ramping up opportunistic phishing campaigns using kits that impersonate popular cloud-based email services.

"Cloud services are particularly appealing for cybercriminals because users are typically familiar with these tools and are likely to click on messages associated with them," says DeGrippo. "Users also typically use cloud accounts outside of the security protection of their organization, opening them up to potential compromise."

Once the criminals gain access to a victim's cloud account, FBI officials say they often analyze the contents of the mailbox for evidence of financial transactions. If they find any, they sometimes configure the victim's mailbox rules to delete messages about transactions or to automatically forward relevant messages to an attacker-controlled external address. That gives them free rein to insert themselves into the communication chain between the victim and third parties such as vendors or customers, and to try to get pending or future payments redirected to fraudulent accounts.
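The mailbox-rule tradecraft described above (delete or forward transaction-related mail) leaves a trace in the tenant's audit log, which is also what the FBI's advice to monitor email settings changes comes down to in practice. The following is an added example, not code from the article, the FBI, or any email provider: a small triage script that runs over audit records and flags rule changes that forward or redirect mail outside the organization, delete matching messages, or key on payment wording. The record layout is an assumption that mimics the general shape of Microsoft 365 unified audit log entries (Operation, UserId, ClientIP, a Parameters list of Name/Value pairs); the sample records and the INTERNAL_DOMAINS set are constructed for the example, so check your own export format before relying on the field names.

```python
"""Flag inbox-rule changes that match the BEC pattern: forward out, hide, filter on money.

Added example; not code from the original article, the FBI, or any vendor.
The record layout is an assumption modelled loosely on Microsoft 365 unified
audit log entries for New-InboxRule / Set-InboxRule.  Sample data is constructed.
"""
import json
import re

# Assumption: the organization's own email domains.  Any other domain is
# treated as external for forwarding/redirect purposes.
INTERNAL_DOMAINS = {"example.com", "corp.example.com"}

RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
# Rule actions that send a copy of (or move) incoming mail elsewhere.
FORWARDING_PARAMS = ("ForwardTo", "ForwardAsAttachmentTo", "RedirectTo")
# Rule conditions an attacker would use to single out payment traffic.
FILTER_PARAMS = ("SubjectContainsWords", "BodyContainsWords", "From")
FINANCE_WORDS = re.compile(r"\b(invoice|wire|payment|bank|remit|ach)\b", re.I)


def _domain(address):
    """Lowercase domain of 'a@b.example' or '[SMTP:a@b.example]'; '' if none found."""
    m = re.search(r"@([A-Za-z0-9.-]+)", address)
    return m.group(1).lower() if m else ""


def _params(record):
    """Flatten the record's Parameters list of {Name, Value} pairs into a dict."""
    return {p["Name"]: str(p["Value"]) for p in record.get("Parameters", [])}


def analyze_rule_event(record):
    """Return human-readable findings for one audit record ([] = not a rule change, or benign)."""
    if record.get("Operation") not in RULE_OPERATIONS:
        return []
    params = _params(record)
    findings = []

    # Heuristic: rules named with only punctuation (".", "..") are easy to
    # overlook in the mailbox UI, so they are worth a second look.
    name = params.get("Name", "")
    if name and not re.search(r"[A-Za-z0-9]", name):
        findings.append(f"rule name {name!r} contains no letters or digits")

    # Forwarding or redirecting to any address outside the organization.
    for pname in FORWARDING_PARAMS:
        for addr in params.get(pname, "").split(";"):
            addr = addr.strip()
            if addr and _domain(addr) not in INTERNAL_DOMAINS:
                findings.append(f"{pname} to external address {addr}")

    # Deleting matching mail hides the vendor's or bank's real messages from the victim.
    if params.get("DeleteMessage", "").lower() == "true":
        findings.append("rule deletes matching messages")

    # Conditions that key on payment-related wording.
    filters = " ".join(params.get(k, "") for k in FILTER_PARAMS)
    hit = FINANCE_WORDS.search(filters)
    if hit:
        findings.append(f"rule filters on finance keyword {hit.group(0)!r}")

    return findings


def triage(log_text):
    """Parse newline-delimited JSON audit records and return only the suspicious ones."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        record = json.loads(line)
        findings = analyze_rule_event(record)
        if findings:
            hits.append({
                "time": record.get("CreationTime"),
                "user": record.get("UserId"),
                "ip": record.get("ClientIP"),
                "operation": record["Operation"],
                "findings": findings,
            })
    return hits


# Constructed sample records (not real log data): one benign rule, one login
# event, and two rule changes from the same session that fit the BEC pattern.
SAMPLE_LOG = """\
{"CreationTime":"2020-04-06T09:12:44","Operation":"New-InboxRule","UserId":"alice@example.com","ClientIP":"203.0.113.10","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"From","Value":"news@vendor.example.net"},{"Name":"MoveToFolder","Value":"Reading"}]}
{"CreationTime":"2020-04-07T02:31:05","Operation":"MailboxLogin","UserId":"bob@example.com","ClientIP":"198.51.100.77"}
{"CreationTime":"2020-04-07T02:33:19","Operation":"New-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.77","Parameters":[{"Name":"Name","Value":"."},{"Name":"SubjectContainsWords","Value":"invoice;wire transfer;remittance"},{"Name":"ForwardTo","Value":"[SMTP:bob.finance.backup@mail.example.net]"},{"Name":"DeleteMessage","Value":"True"}]}
{"CreationTime":"2020-04-07T02:35:02","Operation":"Set-InboxRule","UserId":"bob@example.com","ClientIP":"198.51.100.77","Parameters":[{"Name":"Identity","Value":"Newsletters"},{"Name":"RedirectTo","Value":"carol@example.com;ap-team@example.net"}]}
"""

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit["time"], hit["user"], hit["ip"], hit["operation"])
        for finding in hit["findings"]:
            print("   -", finding)
```

Run against the constructed sample, only Bob's two rule changes come back: the new rule is flagged four times (punctuation-only name, external ForwardTo, DeleteMessage, finance keyword) and the edited rule once for its external RedirectTo; Alice's newsletter rule is silent. The ClientIP is kept in each hit because the same source address appearing on a login and on rule changes minutes later is the kind of correlation a responder wants next.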

From a technical perspective, the FBI recommends that organizations head off these cloud-based BEC scams by prohibiting automatic forwarding to external addresses; enabling multifactor authentication and disabling legacy protocols that can bypass MFA; monitoring for changes to email settings; and configuring Sender Policy Framework (SPF), DomainKeys Identified Mail (DKIM), and Domain-based Message Authentication, Reporting and Conformance (DMARC) to prevent spoofing and validate email.

Meanwhile, according to the FBI, be on the lookout for these red flags for a BEC amid the COVID-19 lockdown:

  • Unexplained urgency
  • Last minute changes in wire instructions or recipient account information
  • Last minute changes in established communication platforms or email account addresses
  • Communications only in email and refusal to communicate via telephone or online voice or video platforms
  • Requests for advanced payment of services when not previously required
  • Requests from employees to change direct deposit information

Ultimately, it will be up to organizations to pass this knowledge on to workers who are already improvising in very unusual working circumstances.

"Working remotely 100 percent of the time is different than working from home once or twice a week," DeGrippo says. "Extra vigilance is required especially regarding the links you are clicking on, and the funds you wire, because remote working often means you aren't protected by the same safeguards your office has in place; nor is it easy to check with colleagues or partners to verify the authenticity of a payment request."


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading.